Cyber Threat Intelligence

I wrote about the Collective Intelligence Framework years ago. I think it's a great idea because it's an easy way to share indicators of malicious activity, such as IP addresses, file hashes, certificates and domains used to attack users and companies. This information can then be fed to a SIEM, firewall or IDS to detect and block attacks quickly. Therefore, I highly recommend deploying collective intelligence tools to gain visibility of the attacks hitting your network.

Maybe you are wondering what collective intelligence is and how to install collective intelligence tools. First, you have to understand Cyber Threat Intelligence, which is usually split into three types. Tactical or technical intelligence, which can be used to detect attacks. Operational intelligence, which describes the motivation and capabilities of threat actors. Strategic intelligence, which drives high-level organizational strategy. Lastly, once you understand these types of threat intelligence, you can deploy the tools.

The first type of Cyber Threat Intelligence is the easiest to deploy. Technical intelligence consists mainly of Indicators of Compromise (IoC). There are lots of tools and services that publish malicious IP addresses, file hashes, domains, SSL certificates, etc. All of these IoC are useful to detect attacks. For instance, OTX from AlienVault, Threat Campaigns from F5 Networks or FortiGuard from Fortinet are services which help us to detect and mitigate attacks.

Many security tools, such as network firewalls, WAFs or SIEMs, use IoC to detect attacks. Without IoC these tools could not tell, for instance, which IP address is malicious and which is benign. Therefore, feeding IoC to security tools is essential today to identify attacks. Keep in mind that IoC age quickly: an IP address or domain that was malicious last month may be clean today, so a match is a lead to investigate rather than a verdict on its own. Actually, I think the correlation engines built into SIEM appliances are essential to know all the bad things that are happening inside company networks.

There is an interesting tool, which I'm going to install soon, that is really useful. MISP, the Malware Information Sharing Platform, is an open source threat intelligence platform holding lots of IoC. The project started around June 2011, is co-funded by the European Union and is still actively developed. We can use MISP to share, store and correlate IoC of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information.
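The two previous paragraphs describe the whole loop: a sharing platform such as MISP exports IoC, and a SIEM or firewall matches them against what it sees. The following Python script is an added example, not code from this blog or from the MISP project, that shows that loop end to end. The event JSON is constructed for the example: it uses the shape of a MISP JSON export (an `Event` with a list of `Attribute` entries carrying `type`, `value` and the `to_ids` flag) but every value is invented, using documentation IP ranges and example domains. The log lines are constructed too, in a generic `key=value` format. The script keeps only attributes flagged `to_ids`, which is how MISP marks attributes suitable for automated detection, and then raises an alert for every log field that matches an IP, domain (or subdomain of it) or SHA-256 hash.

```python
import json
import re

# Constructed MISP-style event: same layout as a MISP JSON export, invented values.
# 198.51.100.9 is deliberately marked to_ids=false (analyst context, not a detection indicator).
SAMPLE_EVENT_JSON = """
{
  "Event": {
    "info": "Constructed example event: phishing campaign (not real data)",
    "Attribute": [
      {"type": "ip-dst",  "category": "Network activity", "to_ids": true,  "value": "192.0.2.44"},
      {"type": "domain",  "category": "Network activity", "to_ids": true,  "value": "bad.example.net"},
      {"type": "sha256",  "category": "Payload delivery", "to_ids": true,
       "value": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},
      {"type": "ip-dst",  "category": "Network activity", "to_ids": false, "value": "198.51.100.9"},
      {"type": "comment", "category": "Other",            "to_ids": false, "value": "analyst note, not an indicator"}
    ]
  }
}
"""

# Constructed log lines (firewall, proxy and EDR) in a generic key=value format.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z fw action=allow src=10.0.0.5 dst=192.0.2.44 dport=443",
    "2024-05-01T10:00:02Z proxy user=alice host=bad.example.net path=/login status=200",
    "2024-05-01T10:00:03Z proxy user=bob host=www.example.com path=/ status=200",
    "2024-05-01T10:00:04Z edr host=ws12 file=invoice.pdf.exe "
    "sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
    "2024-05-01T10:00:05Z fw action=allow src=10.0.0.6 dst=198.51.100.9 dport=80",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# MISP attribute types we know how to match, mapped to our lookup sets.
KIND_FOR_TYPE = {
    "ip-dst": "ip", "ip-src": "ip",
    "domain": "domain", "hostname": "domain",
    "sha256": "sha256",
}


def load_indicators(event_json: str, ids_only: bool = True) -> dict:
    """Turn a MISP-format event into lookup sets keyed by indicator kind.

    With ids_only=True only attributes flagged to_ids are kept; other
    attributes (comments, context-only values) are never pushed to detection.
    """
    event = json.loads(event_json)["Event"]
    indicators = {"ip": set(), "domain": set(), "sha256": set()}
    for attr in event.get("Attribute", []):
        kind = KIND_FOR_TYPE.get(attr["type"])
        if kind is None:
            continue  # e.g. "comment": context for analysts, not a matchable IoC
        if ids_only and not attr.get("to_ids", False):
            continue
        indicators[kind].add(attr["value"].lower())
    return indicators


def parse_kv(line: str) -> dict:
    """Extract key=value tokens from a log line; free-text tokens are ignored."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def match_line(line: str, indicators: dict) -> list:
    """Return (field, kind, indicator) for every field of the line that hits an IoC."""
    hits = []
    for key, value in parse_kv(line).items():
        v = value.lower()
        if v in indicators["ip"]:
            hits.append((key, "ip", v))
        elif SHA256_RE.match(v) and v in indicators["sha256"]:
            hits.append((key, "sha256", v))
        else:
            # Domain IoC also cover subdomains: x.bad.example.net matches bad.example.net.
            for domain in indicators["domain"]:
                if v == domain or v.endswith("." + domain):
                    hits.append((key, "domain", domain))
                    break
    return hits


def scan_logs(lines, indicators: dict) -> list:
    """Run the IoC match over every line and collect alerts as dicts."""
    alerts = []
    for number, line in enumerate(lines):
        for key, kind, value in match_line(line, indicators):
            alerts.append({"line": number, "field": key, "kind": kind, "indicator": value})
    return alerts


if __name__ == "__main__":
    iocs = load_indicators(SAMPLE_EVENT_JSON)
    for alert in scan_logs(SAMPLE_LOGS, iocs):
        print(f"line {alert['line']}: {alert['field']}={alert['indicator']} matched {alert['kind']} IoC")
```

Run as is, the script raises three alerts (the firewall connection to 192.0.2.44, the proxy request to bad.example.net and the EDR file hash) and stays silent on the connection to 198.51.100.9, because that attribute was shared as context rather than as a detection indicator. Loading the event with `ids_only=False` turns that fourth line into an alert too, which is exactly the kind of noise the `to_ids` flag exists to prevent.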

To sum up, cyber threat intelligence is increasingly used. Technical intelligence and IoC are already widely used by most companies. However, I think there will be a next generation of Cyber Threat Intelligence where operational and strategic intelligence become more important than tactical intelligence, and most companies will want a threat sharing platform to know who attacks them, when, why and how.

Thanks my friends!! Do you know about Cyber Threat Intelligence?